<br><font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">- rootca.pem contains the self-signed
root certificate</font>
<br><font size=2 face="sans-serif">(</font><font size=2><tt>/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK</tt></font><font size=2 face="sans-serif">)</font>
<br>
<br><font size=2 face="sans-serif">- I'm not 100% sure if the AD allows
client authentication (didn't find a place where </font>
<br><font size=2 face="sans-serif">to configure it....) but I made a small
test app based on the platform sdk</font>
<br><font size=2 face="sans-serif">and I had to import a client key first
into windows...When I didn't do that, I also </font>
<br><font size=2 face="sans-serif">got the server down error. So I supposed
that client authentication was required...</font>
<br>
<br><font size=2 face="sans-serif">thanks and regards,</font>
<br><font size=2 face="sans-serif">Geert</font>
<br>
<br><font size=2 face="sans-serif">PS My test environment:</font>
<br><font size=2 face="sans-serif">SuSE 10.1</font>
<br><font size=2 face="sans-serif">python: 2.4.2-18</font>
<br><font size=2 face="sans-serif">python-ldap: 2.0.11-14</font>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td>
<td><font size=1 face="sans-serif"><b>Michael Ströder <michael@stroeder.com></b></font>
<p><font size=1 face="sans-serif">10/17/2006 03:21 PM</font>
<td><font size=1 face="Arial"> </font>
<br><font size=1 face="sans-serif"> To:
geert.van.muylem@utimaco.be</font>
<br><font size=1 face="sans-serif"> cc:
python-ldap-dev@lists.sourceforge.net</font>
<br><font size=1 face="sans-serif"> Subject:
Re: SSL and AD</font></table>
<br>
<br>
<br><font size=2><tt>geert.van.muylem@utimaco.be wrote:<br>
><br>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/home/gvm/Temp/PYSSL/rootca.pem')<br>
</tt></font>
<br><font size=2><tt>Does rootca.pem contain the cert of<br>
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK?<br>
Or is there also an intermediate CA?<br>
</tt></font>
<br><font size=2><tt>> ldap.set_option(ldap.OPT_X_TLS_CERTFILE,<br>
> '/home/gvm/Temp/PYSSL/endor-crt.pem')<br>
><br>
> ldap.set_option(ldap.OPT_X_TLS_KEYFILE,'/home/gvm/Temp/PYSSL/endor-key.pem')<br>
</tt></font>
<br><font size=2><tt>Are you sure AD is configured to allow SSL client
authentication?<br>
</tt></font>
<br><font size=2><tt>> lconn=ldap.initialize("ldaps://eowyn.doom.be/")<br>
> lconn.simple_bind_s ('Administrator@doom.be','system')<br>
> lconn.unbind_s()<br>
</tt></font>
<br><font size=2><tt>Seems ok. But I hope you know that using the UPN instead
of a bind DB<br>
with simple_bind_s() is proprietary feature of MS AD.<br>
</tt></font>
<br><font size=2><tt>Ciao, Michael.</tt></font>
<br>